System permissions for RBAC - Amazon Redshift

System permissions for RBAC

The following table lists the system permissions that you can grant to or revoke from a role. For each command, you must have permission in at least one of the listed ways to run it.

Command: ways to be permitted to run it
CREATE ROLE
  • Superuser.

  • Users with the CREATE ROLE permission.

DROP ROLE
  • Superuser.

  • Role owner who is either the user that created the role or a user that has been granted the role with the WITH ADMIN OPTION permission.

CREATE USER
  • Superuser.

  • Users with the CREATE USER permission. These users can't create superusers.

DROP USER
  • Superuser.

  • Users with the DROP USER permission.

ALTER USER
  • Superuser.

  • Users with the ALTER USER permission. These users can't change users to superusers or change superusers to users.

  • Current user who wants to change their own password.

CREATE SCHEMA
  • Superuser.

  • Users with the CREATE SCHEMA permission.

DROP SCHEMA
  • Superuser.

  • Users with the DROP SCHEMA permission.

  • Schema owner.

ALTER DEFAULT PRIVILEGES
  • Superuser.

  • Users with the ALTER DEFAULT PRIVILEGES permission.

  • Users changing their own default access permissions.

  • Users setting permissions for schemas that they have access permissions to.

CREATE TABLE
  • Superuser.

  • Users with the CREATE TABLE permission.

  • Users with the CREATE permission on schemas.

DROP TABLE
  • Superuser.

  • Users with the DROP TABLE permission.

  • Table owner with the USAGE permission on the schema.

ALTER TABLE
  • Superuser.

  • Users with the ALTER TABLE permission.

  • Table owner with the USAGE permission on the schema.

CREATE OR REPLACE FUNCTION
  • For CREATE FUNCTION:

    • Superuser.

    • Users with the CREATE OR REPLACE FUNCTION permission.

    • Users with the USAGE permission on language.

  • For REPLACE FUNCTION:

    • Superuser.

    • Users with the CREATE OR REPLACE FUNCTION permission.

    • Function owner.

CREATE OR REPLACE EXTERNAL FUNCTION
  • Superuser.

  • Users with the CREATE OR REPLACE EXTERNAL FUNCTION permission.

DROP FUNCTION
  • Superuser.

  • Users with the DROP FUNCTION permission.

  • Function owner.

CREATE OR REPLACE PROCEDURE
  • For CREATE PROCEDURE:

    • Superuser.

    • Users with the CREATE OR REPLACE PROCEDURE permission.

    • Users with the USAGE permission on language.

  • For REPLACE PROCEDURE:

    • Superuser.

    • Users with the CREATE OR REPLACE PROCEDURE permission.

    • Procedure owner.

DROP PROCEDURE
  • Superuser.

  • Users with the DROP PROCEDURE permission.

  • Procedure owner.

CREATE OR REPLACE VIEW
  • For CREATE VIEW:

    • Superuser.

    • Users with the CREATE OR REPLACE VIEW permission.

    • Users with the CREATE permission on schemas.

  • For REPLACE VIEW:

    • Superuser.

    • Users with the CREATE OR REPLACE VIEW permission.

    • View owner.

DROP VIEW
  • Superuser.

  • Users with the DROP VIEW permission.

  • View owner.

CREATE MODEL
  • Superuser.

  • Users with the CREATE MODEL system permission, who must also be able to read the relation that the CREATE MODEL statement references.

  • Users with the CREATE MODEL permission.

DROP MODEL
  • Superuser.

  • Users with the DROP MODEL permission.

  • Model owner.

  • Schema owner.

CREATE DATASHARE
  • Superuser.

  • Users with the CREATE DATASHARE permission.

  • Database owner.

ALTER DATASHARE
  • Superuser.

  • Users with the ALTER DATASHARE permission.

  • Users who have the ALTER or ALL permission on the datashare.

  • To add specific objects to a datashare, these users must also have permission on those objects: they must own the objects or have the SELECT, USAGE, or ALL permission on them.

DROP DATASHARE
  • Superuser.

  • Users with the DROP DATASHARE permission.

  • Database owner.

CREATE LIBRARY
  • Superuser.

  • Users with the CREATE LIBRARY permission, or with permission on the specified language.

DROP LIBRARY
  • Superuser.

  • Users with the DROP LIBRARY permission.

  • Library owner.

ANALYZE
  • Superuser.

  • Users with the ANALYZE permission.

  • Owner of the relation.

  • Database owner to whom the table is shared.

CANCEL
  • Superuser canceling their own query.

  • Superuser canceling a user's query.

  • Users with the CANCEL permission canceling a user's query.

  • User canceling their own query.

TRUNCATE TABLE
  • Superuser.

  • Users with the TRUNCATE TABLE permission.

  • Table owner.

VACUUM
  • Superuser.

  • Users with the VACUUM permission.

  • Table owner.

  • Database owner to whom the table is shared.

IGNORE RLS
  • Superuser.

  • Users in the sys:secadmin role.

EXPLAIN RLS
  • Superuser.

  • Users in the sys:secadmin role.

EXPLAIN MASKING
  • Superuser.

  • Users in the sys:secadmin role.
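The following SQL is an added example, not part of this reference page, showing how the system permissions above are split across least-privilege roles: a user-administration role that can create and alter users but, as the table notes, cannot create or promote superusers, a separate role for schema lifecycle, and membership in sys:secadmin for the RLS and masking commands. The role and user names are constructed for the example; the SVV_SYSTEM_PRIVILEGES and SVV_USER_GRANTS system views used for the audit queries are Redshift views that this page does not list.

```sql
-- Added example (not from the Amazon Redshift documentation page above).
-- Role and user names are constructed; adjust to your own naming scheme.

-- 1. A role for day-to-day user administration. Grantees of CREATE USER
--    and ALTER USER still cannot create superusers or change a user's
--    superuser status, so this role is safe to hand to a help desk team.
CREATE ROLE ops_useradmin;
GRANT CREATE USER, ALTER USER, DROP USER TO ROLE ops_useradmin;

-- 2. A role for schema lifecycle only. It deliberately omits DROP TABLE:
--    per the table above, table owners can already drop their own tables
--    when they have USAGE on the schema, so a blanket DROP TABLE grant
--    would widen the blast radius without adding a needed capability.
CREATE ROLE ops_schemaadmin;
GRANT CREATE SCHEMA, DROP SCHEMA, ALTER DEFAULT PRIVILEGES TO ROLE ops_schemaadmin;

-- 3. Assign the roles to people, not to shared service accounts.
--    WITH ADMIN OPTION lets alice delegate ops_useradmin to others, which
--    also makes her a "role owner" for DROP ROLE purposes; grant it sparingly.
GRANT ROLE ops_useradmin TO alice WITH ADMIN OPTION;
GRANT ROLE ops_schemaadmin TO bob;

-- 4. IGNORE RLS, EXPLAIN RLS and EXPLAIN MASKING are reserved for superusers
--    and members of sys:secadmin; membership in that built-in role is what
--    unlocks them, so it is granted directly rather than via a custom role.
GRANT ROLE sys:secadmin TO carol;

-- 5. Audit: which identities hold system permissions, and who holds
--    sys:secadmin? Run these periodically and diff against an expected list.
SELECT identity_name, identity_type, system_privilege, admin_option
FROM svv_system_privileges
ORDER BY identity_name, system_privilege;

SELECT user_name, role_name, admin_option
FROM svv_user_grants
WHERE role_name = 'sys:secadmin'
ORDER BY user_name;

-- 6. Revocation mirrors the grant and is the normal offboarding path.
REVOKE ROLE ops_useradmin FROM alice;
REVOKE DROP USER FROM ROLE ops_useradmin;
```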